If you don't like the default {controller/action/params} shape then CakePHP
accepts your own custom URLs by using URL Routes, check this out "Custom
URLs from the Site Root" <http://bakery.cakephp.org/articles/view/custom-urls-from-the-site-root>.
Moreover, having controller name, action, and params explicitly viewable by
the users is not a security issue because even if you hide them they will be
viewable by a lot of tools that give you a lot of information about "client
- server" transactions, like the "Live HTTP Headers" <https://addons.mozilla.org/en-US/firefox/addon/3829>
plugin for Firefox.
The real security land is your server, where you need to protect yourself
from SQL injections, XSS ... etc., and for this reason CakePHP provides you
with very nice built-in tools to satisfy this objective, like the Security
Component <http://book.cakephp.org/view/324/The-Security-Component>, the
Sanitize Class <http://book.cakephp.org/view/321/Data-Sanitation-The-Sanitize-Class>, and
a lot more!

On Mon, Jan 12, 2009 at 6:27 PM, SethA <[email protected]> wrote:

>
> I'm new to all this. It all started with a desire on my part to start
> building some PHP based apps on my own time. I'm not a programmer by
> trade, so try to be understanding with me :). After months of [part
> time] googling, I've become familiar (somewhat) with MVC, why it is
> important, frameworks, why I should use one, etc. (problem with
> googling is that in a fluid landscape, often times it is hard to
> discern obsolete info/articles from contemporary and current best
> practices) Haven't started anything yet due to my perfectionism
> wanting to "do it right" the first time. I've finally gotten myself to
> the point of taking that leap, and I think I am ready. Not wanting to
> write spaghetti PHP just to have to redo it later in a better way once
> I get my feet wet.... Up till now, I've just been finding my way by
> stumbling across this blog, that article, yada yada. This is my first
> time posting anywhere to ask specific questions that are troubling me.
>
> I've been trying to find a good framework, what do most people use
> these days, yada, yada. Yeah, I know probably a stupid question. I
> have looked at Phrame (I know...) because some [old] articles I read
> during my research used it as an example for MVC based apps. I was
> tempted to build my first app with it, but decided that due to its
> apparent lack of maintenance and aging state (uses PHP4), I should
> find out what else is out there. Stumbled across CakePHP, and this
> seems like a good place to begin (at least). I haven't completely
> settled on this as my choice to dive in and am hoping the answer I get
> can help me fully decide.
>
> Soooo, anywho...  here goes. What is bothering me as I have begun
> looking through the docs and the example blog app is this: I see that
> the basic mechanism for the web app to trigger various actions and so
> forth is to use URLs of this form "site.com/controller/action/param1/param2".
> I fully accept
> that I may be the idiot of the year for asking
> whether I am wrong in thinking that this is a basic security problem?
> I personally don't want to expose this to an end user. I guess I am
> thinking that anyone could attempt to type a desired action into the
> address bar whether or not the application should allow them to take
> that action. For example, /posts/delete/52. Obviously you could/should
> build the logic into the controller to check the rights for the user
> to take an action, in this case maybe delete a particular blog post,
> only if the user has rights to do so. That goes without saying, and I
> consider a must anyway.
>
> But I would still prefer to not even expose the application controller
> logic at all to the end user if that is possible. I would assume that
> CakePHP can just as easily use POST variables to contain the action
> and params and then a redirect to avoid the "browser refresh" issue
> that POST tends to create. Is this assumption correct? Am I crazy for
> even worrying about this? I'm curious if most people just follow the
> generic CakePHP convention for URLs (controller/action/params), or if
> there is something that is a better practice to implement.
>
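To make the point of the reply concrete: the URL shape is cosmetic, and the check the original poster describes for /posts/delete/52 belongs in the controller. This is an added example, not code from the thread or from CakePHP itself; it assumes a CakePHP 1.2 app with AuthComponent configured and a `user_id` column on the `posts` table.

```php
<?php
// Added example (not from the original post). Assumes CakePHP 1.2 with
// AuthComponent set up and a `posts.user_id` column (both assumptions).

// app/config/routes.php: a custom URL reaches the very same action as the
// default /posts/delete/52, so hiding the name buys nothing. The check must
// live in the controller.
Router::connect('/remove-post/*',
    array('controller' => 'posts', 'action' => 'delete'));

// app/controllers/posts_controller.php
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Auth', 'Security');

    function beforeFilter() {
        parent::beforeFilter();
        // Refuse GET for delete: a URL typed into the address bar is
        // rejected by the Security component before the action runs.
        $this->Security->requirePost('delete');
    }

    // Authorization is enforced here, whatever URL addressed the request.
    function delete($id = null) {
        if (!$id) {
            $this->cakeError('error404');
        }
        $ownerId = $this->Post->field('user_id', array('Post.id' => $id));
        if ($ownerId === false) {
            $this->cakeError('error404');
        }
        if ($ownerId != $this->Auth->user('id')) {
            // Deny and leave a server-side record of the attempt.
            $this->log('Denied delete of post ' . $id . ' for user '
                . $this->Auth->user('id'), LOG_WARNING);
            $this->Session->setFlash('You are not allowed to delete this post.');
            $this->redirect(array('action' => 'index'));
        }
        $this->Post->delete($id);
        $this->Session->setFlash('Post deleted.');
        // Redirect after POST, which avoids the "browser refresh"
        // resubmission problem raised in the question.
        $this->redirect(array('action' => 'index'));
    }
}
```

In the view, submit the delete through a form built with FormHelper rather than a plain link, so the request is a POST and passes the `requirePost` check.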
